
qcacmn: Fix OOB read in util_scan_gen_scan_entry

qdf_mem_copy() is called in util_scan_gen_scan_entry() to copy the ssid
into scan_entry using a length of WLAN_SSID_MAX_LEN. Because the length
of ssid is only checked against the maximum value this will result
in an OOB read of up to WLAN_SSID_MAX_LEN bytes.

Change-Id: I150e7c7a75e7134cab1c4abeb799578166400461
CRs-Fixed: 2341004
Harprit Chhabada 6 years ago
Parent
Commit
ab6c10d3bd
1 changed file with 1 insertion and 1 deletion
  1. umac/scan/dispatcher/src/wlan_scan_utils_api.c (+1 -1)

+ 1 - 1
umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -1084,7 +1084,7 @@ util_scan_gen_scan_entry(struct wlan_objmgr_pdev *pdev,
 		scan_entry->ie_list.ssid = NULL;
 	} else {
 		qdf_mem_copy(scan_entry->ssid.ssid,
-				ssid->ssid, WLAN_SSID_MAX_LEN);
+				ssid->ssid, ssid->ssid_len);
 		scan_entry->ssid.length = ssid->ssid_len;
 		scan_entry->hidden_ssid_timestamp =
 			scan_entry->scan_entry_time;
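
Review bot: the qdf_mem_copy() on the `+` line now depends entirely on ssid->ssid_len fitting the destination scan_entry->ssid.ssid, and the bound check the commit message mentions is not visible in this hunk. Please confirm that the check against WLAN_SSID_MAX_LEN runs before this else branch on every path, or add a guard next to the copy so the write side stays safe if the earlier check is ever moved. A second point on the same line: bytes of scan_entry->ssid.ssid past ssid_len are no longer written, so any consumer that reads or compares the full WLAN_SSID_MAX_LEN buffer would see whatever was there before. It is worth stating in the commit message whether scan_entry is zero-initialized when allocated, and that readers honor scan_entry->ssid.length.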